In order to intrude into a system or to start an attack (e.g., a denial of service attack), attackers attempt to determine information about the network services available on a network in order to take advantage of security deficiencies of those services. For example, network services using the TCP and UDP Internet protocols are accessed via specific ports, and the port assignments are generally known; for example, the SMTP service is generally assigned to TCP port 25. Ports that provide network services on a network device may be referred to as “open,” since it is possible to establish a connection to the network service, whereas unused ports are referred to as “closed,” since attempts to connect to them will fail.
An attacker with access to a network may attempt to find open ports with the help of a particular software tool, referred to as a port scanner. A port scanner program tries to connect with several ports on the destination computer. If it is successful, the tool displays the relevant ports as open and the attacker obtains potentially useful information, showing which network services are available on the destination computer. There are currently 65535 distinct and usable port numbers for the TCP and UDP Internet protocols, and so the ports are typically scanned at very short intervals.
A conventional network monitor may detect, as a port scan, an unusually large number of attempts to connect to services from the same source address. When a port scan is detected, an action may be taken such as logging the scan, dropping packets from the port scanning device, or rejecting packets from the port scanning device. Thus, further port scan activity from the same source address may be blocked. In each case, there is the possibility of false positives, which would create problems for applications and users who have a legitimate need to conduct network activity that triggers conventional port scan detection.
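As an added illustration of the threshold-based detection described above (example code written for this page, not from the original text), the following Python flags a source address that touches many distinct destination ports within a short time window, and shows an allowlist as one way to suppress false positives for hosts with a legitimate need to scan. The log format, IP addresses, threshold and window are assumed sample values.

```python
"""Threshold-based port scan detector run over constructed connection-attempt records."""
from collections import defaultdict, deque

# Constructed sample log, one record per line: "epoch_seconds src_ip dst_ip dst_port".
# 10.0.0.5 is a fast scan, 10.0.0.7 is a normal client, 10.0.0.9 is a slow scan.
SAMPLE_LOG = """\
100 10.0.0.5 192.0.2.10 22
101 10.0.0.5 192.0.2.10 25
101 10.0.0.5 192.0.2.10 80
102 10.0.0.5 192.0.2.10 443
102 10.0.0.5 192.0.2.10 8080
103 10.0.0.5 192.0.2.10 3306
104 10.0.0.7 192.0.2.10 443
105 10.0.0.7 192.0.2.10 443
150 10.0.0.9 192.0.2.10 21
165 10.0.0.9 192.0.2.10 22
180 10.0.0.9 192.0.2.10 23
195 10.0.0.9 192.0.2.10 25
210 10.0.0.9 192.0.2.10 110
"""


def detect_port_scans(log_text, threshold=5, window=10, allowlist=()):
    """Return {src_ip: sorted_ports} for every source that contacted at least
    `threshold` distinct destination ports within any `window` seconds.
    Sources in `allowlist` (e.g. an authorised vulnerability scanner) are skipped."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, dst_port) in the window
    flagged = {}
    for line in log_text.splitlines():
        ts, src, _dst, port = line.split()
        ts, port = int(ts), int(port)
        if src in allowlist:
            continue
        q = recent[src]
        q.append((ts, port))
        # Evict attempts older than the sliding window (records assumed time-ordered).
        while q and ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            flagged[src] = sorted(ports)
    return flagged


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))
```

With the default 10-second window the slow scanner 10.0.0.9 is not flagged, which is the trade-off behind the threshold: widening the window catches it but raises the false-positive risk for busy legitimate clients.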